Refs:
BUGTRAQ:20060607 [NOBYTES.COM: #12] ViArt Shop v2.5.5 - XSS Vulnerability
URL:http://www.securityfocus.com/archive/1/archive/1/436415/100/0/threaded
SECUNIA:20538
URL:http://secunia.com/advisories/20538
The Bugtraq post links to the following fix:
http://www.codetosell.com/downloads/xss_fix.zip
whose name is probably sufficient enough to prove an acknowledgement
of this report, but...
The xss_fix.zip file contains 3 executables:
block_forum_topic_new.php
block_forum_topics.php
block_reviews.php
Downloading the original 2.5.5 files (still available on the vendor
web site) and doing a diff with the fix yields results such as this
one for block_forum_topic_new.php:
< $sql .= " WHERE forum_id=" . $db->tosql($forum_id, INTEGER);
---
> $sql .= " WHERE forum_id=" . $forum_id;
These are in the forum_topic_new function. But before we get to that
point, we have:
$forum_id = get_param("forum_id");
So, we have an SQL injection problem here.
Back to the XSS.
For block_reviews.php we have the reviews function:
< $t->set_var("column_id", htmlspecialchars($column_id));
< $t->set_var("column_name", htmlspecialchars($column_name));
---
> $t->set_var("column_id", $column_id);
> $t->set_var("column_name", $column_name);
and $column_id comes from:
$column_id = get_param("item_id");
Note - based on surface level analysis, $column_name is only set to
static values.
and for the forum_topics_show function in block_forum_topics.php we
have:
< $forum_topic_new_url = "forum_topic_new.php?forum_id=" . urlencode($forum_id);
---
> $forum_topic_new_url = "forum_topic_new.php?forum_id=" . $forum_id;
and this is called from forum.php.
*phew* that hurt.
- Steve